Optimal Deep Learning Driven Intrusion Detection in SDN-Enabled IoT Environment

1  Introduction

Internet of Things (IoT) refers to a dynamic network that contains smartphones, sensor nodes, software, switches/routers and servers [1]. IoT was developed as a phenomenon. In this dynamic network, real-time data movements or activities are processed and sensed. The IoT network acts as a common platform for data transmission between the physical world and the Internet of conventional things. The idea of the IoT network has resulted in extensive consumption, production and processing of information [2]. The number of devices connected via the Internet has surpassed the global population and is expected to increase considerably in a few years [3,4].

On the other hand, the devices with constrained resources contribute to the security issues in the IoT network, which considerably augments it in terms of risks, vulnerabilities and threats [5]. In this background, an appropriate analysis of the information recorded in the IoT platforms assists in predictions and early detection of the threats [6]. The Intrusion Detection Systems (IDSs) can rectify malicious activities in the IoT network through real-time traffic analysis. The IDS takes measures to protect the system from getting damaged through attack detection and classification processes. Software-Defined Network (SDN) is a naïve concept in the networking domain that decouples the packet-forwarding plane and the control plane. The SDN approach provides a global view of the network and its centralized control [7,8]. Different authors have focused on developing novel IDSs for conventional networks in literature. These studies focused on the constrained devices in the IoT networks and the recognition of malicious activities in them [9]. Fig. 1 depicts the processes involved in the SDN environment. The concept of IDS-based software defines network systems as unique, especially in the IoT environment [6].

Figure 1: SDN environment

In conventional networks, network devices such as routers or switches can forward the data through different control mechanisms [10]. However, the SDN model conceived the network as a programmable entity and decouples both the control plane and the data plane. Here, the routers or switches simply act as a forwarding devices since the control module is operated from the centralized control. The SDN approach deals with the networks based on the abstraction of low-level functionality and maintains an Application Programmable Interface (API) to control the low-level devices [11]. In general, the SDN controller has a global view of the network, making it easy to configure it as and when required.

Furthermore, if there are any modifications to be done to the networking systems, the programmability feature of the SDN makes it relatively straightforward [9]. The security system and the associated features are programmed via an API module and are performed in a network by following the flow rules. These rules are administered through an OpenFlow protocol [12]. The programmability feature increases the flexibility of the network. As mentioned earlier, in case of a modification in the networking system, the control plane performs it instead of reconfiguring every device in the network individually.

In the study conducted earlier [13], an SDN-enabled deep-learning-driven structure was suggested for attack detection in the IoT environment. The existing classifiers such as the Cuda-Deep Neural Network (DNN), Cuda-Bidirectional Long Short Term Memory (Cu-BLSTM) and the Gated Recurrent Unit (Cu- DNNGRU) were efficiently leveraged for attack detection. In this study, a tenfold Cross-Validation (CV) was executed to display the unbiased results. Shu et al. [14] used a Deep Learning (DL) technique with generative adversary networks. They explored the distributed-SDN to devise a Collaborative IDS (CIDS) for the Vehicular Adhoc Network (VANET) model. In this model, multiple SDN controllers are allowed to train a global ID method mutually for the entire network without any direct interchange among the sub-network flows. Shrestha et al. [15] suggested a satellite-related, Unmanned Aerial Vehicle (UAV) 5G-network security method in which a Machine Learning (ML) technique was used to identify the cyberattacks and other vulnerabilities efficiently. The solution had two major phases: the model created for the intrusion detection process using several ML techniques and the application of the ML-related techniques in satellite or terrestrial gateways.

Aslam et al. [16] suggested an Adaptive ML-related SDN-enabled Distributed Denial of Service (DDoS) attack Detection and Mitigation (AMLSDM) structure. The suggested AMLSDM structure was an SDN-enabled security system for the IoT gadgets. An adaptive ML classification method was utilized to achieve fruitful mitigation and the detection of DDoS attacks. The presented structure used ML methods in an adaptive multi-layered feed forwarding method to identify the DDoS attacks in a successful manner. This was accomplished by probing the static attributes of the network traffic under review. Derhab et al. [17] suggested a security architecture in which the Software-Defined Network (SDN) model and the Blockchain technology were integrated. The suggested IDS security structure was created by integrating the K-Nearest Neighbor (KNN) technique and the Random Subspace Learning (RSL) technique. This was done to defend the forged commands that target the industrial control procedures and the Blockchain-related Integrity Checking System (BICS) that prevents the misrouting assault that meddles with the SDN-enabled industrial’s OpenFlow regulations IoT mechanisms.

The current study devises a Harmony Search algorithm-based Feature Selection with Optimal Convolutional Autoencoder (HSAFS-OCAE) for the purpose of intrusion detection in the SDN-enabled IoT environment. The presented HSAFS-OCAE method follows a three-stage process in which the Harmony Search algorithm-based FS (HSAFS) technique is first exploited for feature selection. Next, the CAE algorithm is used for the recognition and classification of the intrusions in the SDN-enabled IoT environment. Finally, the Artificial Fish Swarm Algorithm (AFSA) is used to fine-tune the hyperparameters to boost the intrusion detection performance of the CAE algorithm. The proposed HSAFS-OCAE technique was experimentally validated, and the results were assessed under different measures.

2  The Proposed Model

In this study, a new HSAFS-OCAE model has been proposed for a proficient recognition of intrusions in the SDN-enabled IoT environment. The presented HSAFS-OCAE model follows a three-stage process in which the HSAFS technique is exploited at first for feature selection. Next, the CAE approach is leveraged to recognize and classify intrusions in the SDN-enabled IoT environment. Finally, the AFSA-based hyperparameter fine-tuning process is executed to boost the intrusion detection performance of the CAE model. Fig. 2 shows the overall block diagram of the HSAFS-OCAE approach.

Figure 2: Overall block diagram of the HSAFS-OCAE approach

2.1 Design of HSAFS Technique

In this study, the HSAFS technique is exploited for feature selection. In the HSA method, the optimal solution (or component from the solution space) is named ‘harmony’ viz., n-dimensional real vector. An arbitrary value is assigned to the initial population and is loaded from the Harmony Memory (HM) [18]. Then, a novel candidate (following iteration or generation) is evaluated and the harmony is generated based on the component from HM, either by altering the pitch or through an arbitrary selection of the element from HM. Afterwards, the component from the harmony memory and the newly-evaluated candidate harmony are correlated with the least HM vector. This process is repeated to satisfy the ending criteria. The parameters of the HS optimization approach are as follows (i) Pitch Adjusting Rate (PAR) (ii) the size of the HM (iii) distance bandwidth (BW) (iv) HM Consideration Rate (HMCR), and (v) the number of iterations or improvisations (NI). It is crucial to configure the HM module (HMS Vector). Assume that xi={xi(1),xi(2),…xi(n)} characterizes an arbitrarily-evaluated HM vector: xi(k)=Xl(k)+(Xu(k)−Xl(k))∗rand(0,1)fork=1,2,…,nandi=1,2,…,HMS i.e., the length of the HM. Hence, the upper and the lower bounds of the searching space are characterized by Xl(k) and Xu(k), respectively. The HM matrix for every component is a harmony vector.

HM=[x1x2⋮xHMS](1)

In HM matrix, i.e., xnew, a harmony vector is created by three functions such as (i) the pitch adjustment (ii) memory consideration and (iii) an arbitrary re-initialization. Initially, a decision value xnew(1) is arbitrarily chosen in the harmony i.e., {x1(1),x2(1)…xHMS(1)}. To select xnew(1), an arbitrary number r1 is used in the range of 0 and 1. Once an arbitrary number is selected within the HMCR, xnew(1) is generated by considering the memory. Else xnew(1) is captured within the searching range [Xl(k),Xu(k)]. Likewise, the values are elected for the series, xnew(2),xnew(3),…,xnew(n). The two functions, such as (i) an arbitrary re-initialization and (ii) the memory consideration, are defined using the following equation.

xnew(k)={xi∈{x1(k)⋯⋯⋯⋯.xHMS(k)}Xl(k)+(Xu(k)−Xl(k))∗rand(0,1)with probability of1−HMCR(2)

The newly-generated xnew value is inspected while, on the other hand, the required value is either pitch-adjusted or not. To address these problems, a PAR entity is proposed by combining the Bandwidth Factor (BF) and the frequency. These two factors are adjusted to get a novel xnew value for the selected HM solution during the local search process. The pitch-adapted novel solution xnew is calculated as xnew(k)+/−rand(0,1). BW with a probability of PAR. This PAR is mostly similar to the mutation process from the evolutionary bio-inspired technique. The range of the PAR is limited to [Xl(k),Xu(k)].

At last, xnew, i.e., the newly-generated harmony vector, is upgraded or estimated as a novel component to fit itself between the xnew value and the worst harmony vector xw in the HM. Consequently, xw is altered by xnew, whereas the established part of the HM is identified to maximize the objective function (inter-class variance) for which the HSA is employed.

Either harmony or the solution employs a k element to decide the optimization system. The threshold value thk is applied upon a multi-level segmentation process as formulated herewith.

HM=[x1,x2⋯.,x1HMS]T,xi=[th1,th2⋯⋯thk](3)

Here, T characterizes the transpose of the matrix, and the maximum size of the HM is denoted by the HMS technique. Each element from the HM is denoted by xi which lies in the range of [0,k]. The HSAFS method derives a Fitness Function (FF) to handle the trade-off between the chosen feature count and the classification accuracy with the help of the selected features. FF is determined as given below.

Fitness=αγR(D)+β|R||C|(4)

Here, γR(D) represents the error rate of the presented classifier. |R| indicates the selected subset and |C| denotes the total feature count and α and β correspond to the constants.

2.2 Design of CAE Classification Model

In this stage, the CAE technique is used to recognize and classify intrusions in the SDN-enabled IoT environment. Autoencoder is a self-supervised learning mechanism that exploits the Neural Network (NN) for representative learning [19]. Representative learning is a method in which a scheme learns how to encode the input dataset. The Autoencoder (AE) approach maps the input datasets to a compressed domain demonstration or a low-dimension space. In the current study, a bottleneck is proposed in which an algorithm is enforced to learn how to demonstrate the compressed domains of the input dataset. In general, the AE approach encompasses four elements such as the Reconstruction Loss, Encoder Network (EN), Bottleneck Layer and Decoder Network (DN). Encoder Network is a NN system that encodes the input dataset to a compressed domain. The bottleneck layer is the final layer of the Encoder Network, and its output is called the encoded input data.

Xei+1=fej(WVejTXei+bej)∀i=0,1,2,…,N(5)

In Eq. (5), Xei corresponds to the input for the ith layer, X denotes the output of the ith layer of EN, WVei shows the weight vector for the ith layer, bei indicates the bias for the ith layer, and fei indicates the activation function for the ith layer.

Xdi+1=fdi(1WTdiXdi+bdi)∀i=0,1,2,…,N(6)

In Eq. (6), Xdi denotes the input for the ith layer of the DN method, Xdi+1 signifies the output of the ith layer, wdi shows the weight vector for the ith layer, bdi refers to the bias of the ith layer, and fdi illustrates the activation function for the ith layer. The variance between the original dataset XO and the reconstructed dataset XR is called the Reconstructed Loss. On the other hand, the Binary Cross-Entropy (BCE) and the Mean Squared Error (MSE) Loss are the two commonly-applied loss functions in the calculation of Reconstructed Loss. Here, D indicates the count of the instances in a dataset in which the AE is employed.

MSE(XO,XR)=1D∑j=1D(XjO−XjR)2(7)

BCE(XO,XR)=−1D∑j=1DXjO⋅logXjR+(1−XjO)⋅log(1−XjR)(8)

2.3 Algorithmic Process of AFSA Based Hyperparameter Tuning

Finally, the AFSA hyperparameter tuning process is performed to boost the intrusion detection performance of the CAE model. The AFSA model is a kind of swarm intelligence technique that is simulated from the behaviour of the animals [20]. In this method, the fish’s clustering, collision and foraging behaviours are simulated along with its collective support in a fish swarm to realize the optimum global point. In this Artificial Fish (AF) technique, the maximum distance that passes through is referred to as Step. The apparent distance that passes over the AF is referred to as Visual.

Further, the retry quantity is characterized by Try−Number. The crowd quantity factor is characterized by η. The place of a particular AF is referred to as the resultant vector, X=(X1,X2,…,Xn) and the distance between i and j i.e., AF is determined using dij=|Xi−Xj|. The performance function of the AF is described in the following order i.e., prey, random, follow and swarm.

Given that a fish observes the food via its eyes, the existing position is denoted by Xi along with an arbitrarily-chosen position i.e., Xj within a perceptive range as given below.

Xj=Xi+Visual×rand(0∼1)(9)

In Eq. (9), rand (0-1) characterizes an arbitrary value between [0, 1]. If Yi>Yj, the fish moves in the direction. Then, the technique arbitrarily chooses a novel position Xj to check whether it fulfils the motion condition as follows.

Xit+1=Xit+Xj−Xit‖Xj−Xit‖×Step×rand(0∼1)(10)

If it does not fulfil the motion condition Try−Number times, an arbitrary motion is created as given below.

Xit+1=Xit+Visual×rand(0∼1)(11)

In order to avoid the over-crowding issues, an artificial existing location Xi is set. Followed by, the fish amount in the nf company and Xc center in the area (dij<Visual) are determined. If Yc/nf<η×Yi, the companion’s location is characterized by the optimal food count and low-crowding. Consequently, the fish moves towards the companion area i.e., centre of the location.

Xit+1=Xit+Xc−Xit‖Xc−Xit‖×Step×rand(0∼1)(12)

Then, it begins to follow the prey’s behaviour.

The existing place of the AF swarm is referred to as Xi. The swarm describes the company Yj as Xj in the area (dij<Visual). If Yj/nf<η×Yi, then the location of the company embodies an optimal food count with a less crowd.

Xit+1=Xit+Xj−Xit‖Xj−Xit‖×Step×rand(0∼1)(13)

It allows the AF to accomplish the company as well as the food over a large region. The location is chosen in a random manner based on which the AF moves towards them.

Using the search region of Ddimension, the extremely-possible distance between the two AFs is applied to vigorously limit the Visual&Step of the AF as given below.

MaxD=(xmax−xmin)2×D(14)

In Eq. (14), xmin and xmax signify the lower and the upper limits. D denotes the dimension of the searching region.

3  Results and Discussion

The performance of the proposed HSAFS-OCAE model was experimentally validated using a dataset with 84,792 samples under six class labels as tabulated in Table 1.

The classification results accomplished by the proposed HSAFS-OCAE model are portrayed as confusion matrices in Fig. 3. The figure reports that the proposed HSAFS-OCAE model effectually recognized and classified all the input data under six class labels.

Figure 3: Confusion matrices of the HSAFS-OCAE approach (a) 80% of TR data, (b) 20% of TS data, (c) 70% of TR data, and (d) 30% of TS data

Table 2 and Fig. 4 highlight the classification outcomes achieved by the proposed HSAFS-OCAE model on 80% of the TR data. The results imply that the proposed HSAFS-OCAE model accomplished effectual outcomes under each class. For instance, on 80% of the TR data, the HSAFS-OCAE model gained an accuy of 98.75%, precn of 99.35%, recal of 99.13%, Fscore of 99.24% and an MCC of 95.76%. Then, when using 80% of the TR data, the presented HSAFS-OCAE method obtained an accuy of 99.31%, precn of 90.96%, recal of 89.77%, Fscore of 90.36% and an MCC of 90%. When using 80% of the TR data, the proposed HSAFS-OCAE model attained an accuy of 99.38%, precn of 87.85%, recal of 96%, Fscore of 91.74% and an MCC of 91.52%.

Figure 4: Analytical results of the HSAFS-OCAE approach on 80% of the TR data

Fig. 5 signifies the classification outcomes attained by the proposed HSAFS-OCAE technique on 20% of the TS data. The results denote that the HSAFS-OCAE method accomplished effectual outcomes under each class. For example, on 20% of the TS data, the HSAFS-OCAE model gained an accuy of 98.63%, precn of 99.37%, recal of 98.95%, Fscore of 99.16% and an MCC of 95.36%. Also, on 20% of the TS data, the proposed HSAFS-OCAE technique gained an accuy of 99.17%, precn of 87.92%, recal of 89.22%, Fscore of 88.56% and an MCC of 88.14%. Conversely, on 20% of the TS data, the proposed HSAFS-OCAE model gained an accuy of 99.26%, precn of 85.37%, recal of 96.28%, Fscore of 90.49% and an MCC of 90.29%.

Figure 5: Analytical results of the HSAFS-OCAE approach on 20% of the TS data

Table 3 and Fig. 6 highlight the classification outcomes of the proposed HSAFS-OCAE model on 70% of the TR dataset. The results infer that the proposed HSAFS-OCAE method accomplished effectual outcomes under each class. For example, on 70% of the TR dataset, the presented HSAFS-OCAE model attained an accuy of 98.67%, precn of 99.49%, recal of 98.89%, Fscore of 99.19% and an MCC of 95.52%. Also, on 70% of the TR dataset, the proposed HSAFS-OCAE model gained an accuy of 99.54%, precn of 92.64%, recal of 94.78%, Fscore of 93.70% and an MCC of 93.47%. Conversely, on 70% of the TR dataset, the proposed HSAFS-OCAE model reached an accuy of 99.50%, precn of 91.25%, recal of 95.11%, Fscore of 93.14% and an MCC of 92.90%.

Figure 6: Analytical results of the HSAFS-OCAE approach on 70% of the TR dataset

Fig. 7 highlights the classification outcomes achieved by the proposed HSAFS-OCAE model on 30% of the TS dataset. The results infer that the proposed HSAFS-OCAE model established effectual outcomes under each class. For example, on 30% of the TS dataset, the HSAFS-OCAE algorithm reached an accuy of 98.76%, precn of 99.54%, recal of 98.94%, Fscore of 99.24% and an MCC of 95.85%. Then, on 30% of the TS data, the proposed HSAFS-OCAE model gained an accuy of 99.52%, precn of 93.06%, recal of 94.05%, Fscore of 93.55% and an MCC of 93.30%. When using 30% of the TS dataset, the presented HSAFS-OCAE model obtained an accuy of 99.50%, precn of 90.89%, recal of 95.75%, Fscore of 93.26% and an MCC of 93.03%.

Figure 7: Analytical results of the HSAFS-OCAE approach on 30% of the TS data

Both Training Accuracy (TA) and Validation Accuracy (VA) values, acquired by the proposed HSAFS-OCAE method on test dataset, are shown in Fig. 8. The experimental outcomes imply that the proposed HSAFS-OCAE technique gained the maximal TA and VA values while the VA values were higher than the TA values.

Figure 8: TA and VA analyses results of the HSAFS-OCAE methodology

Both Training Loss (TL) and Validation Loss (VL) values, attained by the HSAFS-OCAE approach on test dataset, are displayed in Fig. 9. The experimental outcomes denote that the proposed HSAFS-OCAE algorithm exhibited the least TL and VL values while the VL values were lower than the TL values.

Figure 9: TL and VL analyses results of the HSAFS-OCAE methodology

A clear precision-recall analysis was conducted upon the HSAFS-OCAE method using the test dataset and the results are shown in Fig. 10. The figure represents that the proposed HSAFS-OCAE method produced enhanced precision-recall values under all the classes.

Figure 10: Precision-recall curve analysis results of the HSAFS-OCAE methodology

A brief ROC analysis was conducted upon the HSAFS-OCAE method using the test dataset and the results are depicted in Fig. 11. The results infer that the proposed HSAFS-OCAE technique established its supremacy in categorizing the test dataset under distinct classes.

Figure 11: ROC curve analysis results of the HSAFS-OCAE methodology

To showcase the supremacy of the proposed HSAFS-OCAE model, a comparative study was conducted, and the results are shown in Table 4 [11].

Fig. 12 demonstrates the comparison study results of the proposed HSAFS-OCAE model and other existing models in terms of accuy. The figure infers that the LSTM-CNN model and the Bi-LSTM model reported low accuy values such as 94.33% and 94.50%, respectively. In contrast, the CNN, Gated Recurrent Unit (GRU)-Recurrent Neural Network (RNN), 2L-ZED-IDS and the ANN models certainly produced increased accuy values such as 97.75%, 95.91%, 96.94% and 95.29% respectively. On the other hand, the Cu-DNNGRU + Cu-BLSTM model obtained a near-optimal accuy of 99.11%. But, the proposed HSAFS-OCAE model achieved the maximum classification performance with an accuy of 99.25%.

Figure 12: Accuy analysis results of the HSAFS-OCAE approach and other existing methodologies

Fig. 13 illustrates the comparative analysis results accomplished by the proposed HSAFS-OCAE model and other existing models in terms of precn. The figure infers that the LSTM-CNN model and the Bi-LSTM model reported the least precn values such as 87.52% and 86.20%, respectively, where as the CNN, GRU-RNN, 2L-ZED-IDS and the ANN models certainly produced enhanced precn values such as 86.53%, 87.42%, 86.75% and 87.73% correspondingly. Meanwhile, a combination of Cu-DNNGRU + Cu-BLSTM models achieved a near-optimal precn of 90.27%. But, the proposed HSAFS-OCAE model achieved the maximal classification performance with a precn of 91.71%.

Figure 13: Precn analysis results of the HSAFS-OCAE approach and other existing methodologies

Fig. 14 portrays the comparative analysis results achieved by the proposed HSAFS-OCAE method and other existing models in terms of recal. The figure implies that the LSTM-CNN model and the Bi-LSTM model produced the least recal values such as 87.85% and 86.81%, respectively, whereas the CNN, GRU-RNN, 2L-ZED-IDS and the ANN models certainly achieved high recal values such as 87.28%, 87.55%, 87.48% and 87.34% respectively. Further, a combination of Cu-DNNGRU + Cu-BLSTM models achieved a near-optimal recal of 91.99%. But, the proposed HSAFS-OCAE method accomplished the maximal classification performance with a recal of 93.44%. Based on these results and the discussion, it can be inferred that the proposed HSAFS-OCAE model achieved the maximum intrusion detection outcomes in the IoT-enabled SDN environment.

Figure 14: Recal analysis results of the HSAFS-OCAE approach and other existing methodologies

4  Conclusion

In this study, a new HSAFS-OCAE model has been devised to recognize intrusions in the SDN-enabled IoT environment proficiently. The presented HSAFS-OCAE model follows a three-stage process in which the HSAFS technique is exploited for feature selection. Next, the CAE methodology is leveraged to recognise and classify intrusions in the SDN-enabled IoT environment. Finally, the AFSA-based hyperparameter tuning process is performed to boost the intrusion detection performance of the CAE approach. The proposed HSAFS-OCAE methodology was experimentally validated under several aspects. The comparison study outcomes established the improved outcomes of the HSAFS-OCAE model over other techniques. In the future, the HSAFS-OCAE model’s performance can be improved using hybrid metaheuristic approaches.

Funding Statement: The authors extend their appreciation to the Deanship of Scientific Research at King Khalid University for funding this work through Small Groups Project under Grant Number (168/43). Princess Nourah bint Abdulrahman University Researchers Supporting Project Number (PNURSP2022R237), Princess Nourah bint Abdulrahman University, Riyadh, Saudi Arabia. The authors would like to thank the Deanship of Scientific Research at Umm Al-Qura University for supporting this work by Grant Code: (22UQU4320484DSR01).

Conflicts of Interest: The authors declare that they have no conflicts of interest to report regarding the present study.